Message-ID: <20180419014235.r6ykoznj6sgyb3m4@wfg-t540p.sh.intel.com>
Date: Thu, 19 Apr 2018 09:42:35 +0800
From: Fengguang Wu <fengguang.wu@...el.com>
To: Kees Cook <keescook@...omium.org>
Cc: kernel-hardening@...ts.openwall.com, linux-kbuild@...r.kernel.org,
	linux-kernel@...r.kernel.org, lkp@...org
Subject: BUG: KASAN: use-after-scope in ep_poll+0x1177/0x131b

Hi Kees,

FYI this happens in mainline kernel 4.17.0-rc1.
It at least dates back to v4.15-rc1.

I just sent you a bisect report for c61f13eaa1 ("gcc-plugins: Add
structleak for more stack initialization") possibly related to this
error.

[   30.565138] init: Console is alive
[   30.574301] kmodloader (149) used greatest stack depth: 22824 bytes left
[   31.573627] init: - preinit -
[   31.628946] procd: - early -
[   31.715094] ==================================================================
[   31.716334] BUG: KASAN: use-after-scope in ep_poll+0x1177/0x131b:
						ep_poll at fs/eventpoll.c:1832
[   31.717242] Write of size 24 at addr ffff880000307b80 by task procd/1
[   31.718361]
[   31.718653] CPU: 0 PID: 1 Comm: procd Tainted: G                T 4.17.0-rc1 #1
[   31.719799] Call Trace:
[   31.720289]  print_address_description+0x69/0x24d:
						print_address_description at mm/kasan/report.c:257
[   31.721257]  ? ep_poll+0x1177/0x131b:
						ep_poll at fs/eventpoll.c:1832
[   31.721910]  kasan_report+0x219/0x34e:
						kasan_report_error at mm/kasan/report.c:355
						 (inlined by) kasan_report at mm/kasan/report.c:412
[   31.722589]  ep_poll+0x1177/0x131b:
						ep_poll at fs/eventpoll.c:1832
[   31.723218]  ? ep_send_events_proc+0x979/0x979:
						ep_poll at fs/eventpoll.c:1741
[   31.724120]  ? sched_clock_cpu+0xa9/0x14a:
						sched_clock_cpu at kernel/sched/clock.c:351
[   31.724861]  ? pvclock_read_flags+0x136/0x136:
						pvclock_clocksource_read at arch/x86/kernel/pvclock.c:79
[   31.725633]  ? print_lockdep_off+0x27/0x27:
						match_held_lock at kernel/locking/lockdep.c:3491
[   31.726387]  ? kvm_sched_clock_read+0x12/0x20:
						__preempt_count_sub at arch/x86/include/asm/preempt.h:81
						 (inlined by) kvm_clock_read at arch/x86/kernel/kvmclock.c:90
						 (inlined by) kvm_sched_clock_read at arch/x86/kernel/kvmclock.c:101
[   31.727184]  ? sched_clock+0x34/0x37:
						paravirt_sched_clock at arch/x86/include/asm/paravirt.h:175
						 (inlined by) sched_clock at arch/x86/kernel/tsc.c:228
[   31.727920]  ? __context_tracking_exit+0xb5/0x22b:
						atomic_read at include/asm-generic/atomic-instrumented.h:21
						 (inlined by) static_key_count at include/linux/jump_label.h:194
						 (inlined by) static_key_false at include/linux/jump_label.h:206
						 (inlined by) trace_user_exit at include/trace/events/context_tracking.h:48
						 (inlined by) __context_tracking_exit at kernel/context_tracking.c:158
[   31.728750]  ? kvm_sched_clock_read+0x12/0x20:
						__preempt_count_sub at arch/x86/include/asm/preempt.h:81
						 (inlined by) kvm_clock_read at arch/x86/kernel/kvmclock.c:90
						 (inlined by) kvm_sched_clock_read at arch/x86/kernel/kvmclock.c:101
[   31.729508]  ? sched_clock+0x34/0x37:
						paravirt_sched_clock at arch/x86/include/asm/paravirt.h:175
						 (inlined by) sched_clock at arch/x86/kernel/tsc.c:228
[   31.730138]  ? sched_clock_cpu+0xa9/0x14a:
						sched_clock_cpu at kernel/sched/clock.c:351
[   31.730913]  ? clear_sched_clock_stable+0x115/0x115:
						sched_clock_cpu at kernel/sched/clock.c:346
[   31.731763]  ? find_held_lock+0x39/0x18d:
						find_held_lock at kernel/locking/lockdep.c:3536
[   31.732494]  ? lock_downgrade+0x730/0x730:
						lock_release at kernel/locking/lockdep.c:3929
[   31.733221]  ? lock_release+0xe6b/0xe6b:
						lock_acquire at kernel/locking/lockdep.c:3909
[   31.733917]  ? get_vtime_delta+0x19f/0x239:
						steal_account_process_time at kernel/sched/cputime.c:243
						 (inlined by) account_other_time at kernel/sched/cputime.c:260
						 (inlined by) get_vtime_delta at kernel/sched/cputime.c:706
[   31.734777]  ? in_sched_functions+0x35/0x35:
						___might_sleep at kernel/sched/core.c:6146
[   31.735513]  ? account_steal_time+0x35/0x35:
						get_vtime_delta at kernel/sched/cputime.c:695
[   31.736313]  ? mntput_no_expire+0x73/0x6fe:
						rcu_lock_acquire at include/linux/rcupdate.h:246
						 (inlined by) rcu_read_lock at include/linux/rcupdate.h:632
						 (inlined by) mntput_no_expire at fs/namespace.c:1196
[   31.737082]  ? syscall_slow_exit_work+0x5c2/0x5c2:
						syscall_trace_enter at arch/x86/entry/common.c:68
[   31.737969]  ? __fget_light+0xb3/0x305:
						__read_once_size at include/linux/compiler.h:188
						 (inlined by) arch_atomic_read at arch/x86/include/asm/atomic.h:31
						 (inlined by) atomic_read at include/asm-generic/atomic-instrumented.h:22
						 (inlined by) __fget_light at fs/file.c:735
[   31.738658]  ? __fget+0x366/0x366:
						__fget_light at fs/file.c:731
[   31.739231]  ? vtime_user_exit+0x134/0x16b:
						raw_write_seqcount_end at include/linux/seqlock.h:235
						 (inlined by) write_seqcount_end at include/linux/seqlock.h:388
						 (inlined by) vtime_user_exit at kernel/sched/cputime.c:770
[   31.739878]  ? __context_tracking_exit+0xb5/0x22b:
						atomic_read at include/asm-generic/atomic-instrumented.h:21
						 (inlined by) static_key_count at include/linux/jump_label.h:194
						 (inlined by) static_key_false at include/linux/jump_label.h:206
						 (inlined by) trace_user_exit at include/trace/events/context_tracking.h:48
						 (inlined by) __context_tracking_exit at kernel/context_tracking.c:158
[   31.740811]  ? __context_tracking_exit+0xc6/0x22b:
						__read_once_size at include/linux/compiler.h:188
						 (inlined by) arch_atomic_read at arch/x86/include/asm/atomic.h:31
						 (inlined by) atomic_read at include/asm-generic/atomic-instrumented.h:22
						 (inlined by) static_key_count at include/linux/jump_label.h:194
						 (inlined by) static_key_false at include/linux/jump_label.h:206
						 (inlined by) trace_user_exit at include/trace/events/context_tracking.h:48
						 (inlined by) __context_tracking_exit at kernel/context_tracking.c:158
[   31.741616]  ? do_sched_yield+0x2b7/0x2b7:
						default_wake_function at kernel/sched/core.c:3742
[   31.742351]  ? trace_raw_output_preemptirq_template+0xf9/0xf9:
						trace_hardirqs_on at kernel/trace/trace_irqsoff.c:787
[   31.743380]  do_epoll_wait+0x112/0x148:
						fdput at include/linux/file.h:39
						 (inlined by) do_epoll_wait at fs/eventpoll.c:2194
[   31.744126]  __ia32_sys_epoll_wait+0xd8/0xe0:
						__do_sys_epoll_wait at fs/eventpoll.c:2201
						 (inlined by) __se_sys_epoll_wait at fs/eventpoll.c:2198
						 (inlined by) __ia32_sys_epoll_wait at fs/eventpoll.c:2198
[   31.744915]  do_int80_syscall_32+0x436/0x8b6:
						do_syscall_32_irqs_on at arch/x86/entry/common.c:323
						 (inlined by) do_int80_syscall_32 at arch/x86/entry/common.c:346
[   31.745672]  ? do_syscall_64+0x84b/0x84b:
						do_int80_syscall_32 at arch/x86/entry/common.c:343
[   31.746268]  ? vtime_user_enter+0xba/0xef:
						raw_write_seqcount_end at include/linux/seqlock.h:235
						 (inlined by) write_seqcount_end at include/linux/seqlock.h:388
						 (inlined by) vtime_user_enter at kernel/sched/cputime.c:756
[   31.746951]  ? __context_tracking_enter+0x21d/0x266:
						__context_tracking_enter at kernel/context_tracking.c:97
[   31.747929]  ? __context_tracking_enter+0x21d/0x266:
						__context_tracking_enter at kernel/context_tracking.c:97
[   31.748817]  ? context_tracking_recursion_enter+0x4a/0x4a:
						__context_tracking_enter at kernel/context_tracking.c:62
[   31.749791]  ? trace_raw_output_sys_exit+0xc6/0xc6:
						exit_to_usermode_loop at arch/x86/entry/common.c:139
[   31.750662]  ? trace_hardirqs_on_caller+0x1b3/0x1b3:
						trace_hardirqs_off_caller at kernel/trace/trace_irqsoff.c:823
[   31.751532]  ? prepare_exit_to_usermode+0x230/0x262:
						prepare_exit_to_usermode at arch/x86/entry/common.c:184
[   31.752287]  ? trace_hardirqs_off_thunk+0x1a/0x1c:
						trace_hardirqs_off_thunk at arch/x86/entry/thunk_64.S:43
[   31.753106]  entry_INT80_compat+0x84/0x90:
						entry_INT80_compat at arch/x86/entry/entry_64_compat.S:410
[   31.753715]
[   31.753966] The buggy address belongs to the page:
[   31.754784] page:ffffea000000c1c0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
[   31.756053] flags: 0x0()

Attached the full dmesg, kconfig and reproduce scripts.

Thanks,
Fengguang

View attachment "dmesg-vm-lkp-nhm-dp1-openwrt-ia32-9:20180416214450:x86_64-randconfig-s5-04161820:4.17.0-rc1:1" of type "text/plain" (56645 bytes)

View attachment ".config" of type "text/plain" (115199 bytes)

View attachment "job-script" of type "text/plain" (3788 bytes)

View attachment "reproduce-vm-lkp-nhm-dp1-openwrt-ia32-9:20180416214450:x86_64-randconfig-s5-04161820:4.17.0-rc1:1" of type "text/plain" (1937 bytes)
